A multi-level computer security system often identifies authorized system users as well as “user agents” and other computer system hardware and/or software resources using “security tags” (or “security labels”) comprised of information access restrictions that can be organized into a data tuple (or similar data structure) containing the fields <security domain, security level, categories>. (See e.g., “Federal Information Processing Standards Publication 188”; 1994 Sep. 6, “Announcing the Standard for Standard Security Label for Information Transfer”.) The “security domain” describes the domain of interpretation of the “security level” and “categories” values, while the “security level” identifies the restricted access (classification) level of a user or computer resource (e.g., “UNCLASSIFIED”/“CONFIDENTIAL”/“SECRET”/“TOP SECRET”) ordered according to increasing (or decreasing) security level values indicating more (or less) restrictive access for a given item of information (respectively), and the “categories” (a set of zero or more) identify additional non-hierarchical restrictions or characteristics applicable to a user or resource (e.g., membership in an organization or department such as DOD, DOE, NSA). The multi-level “security label” is a special case of a generalized “security descriptor” (which may be a single value such as a “security level” or which may consist of multiple such “security attributes”) that is used to identify users and resources and determine appropriate use.
Two (or more) security labels are “equivalent” if they have the same “security tag” providing the same <security domain, security level, categories> restrictions, while security label “A” is said to “dominate” security label “B” in the same security domain if (1) the security level for “A” is equal to or higher than that of “B” and (2) all of the category restrictions identified for B are contained in (or are a subset of) the categories for A (where a given individual security label necessarily is equivalent to and/or dominates itself). A “range” of security labels from A to B may be defined if B dominates A (or vice versa) such that any security label “X” will fall within the range if it dominates security label “A” and is in turn dominated by security label “B” (or vice versa). In the generalized case, security descriptors can be defined to have a range.